[Emerging-Sigs] W32/Kyle Should Be Trojan?

Kevin Ross kevross33 at googlemail.com
Thu Sep 18 06:53:19 EDT 2014


Also, these beacons to the Stan part, which were detected only by the session UA
sig and one of my own (lots of sigs look for malware-looking POST stuff and
then set a flowbit for this final sig to be fired - works pretty well,
although I don't want to depress myself looking at the performance, although
I've done my best :) )

Anyway just a heads up for other indicators for people to look at.

On 18 September 2014 10:19, Kevin Ross <kevross33 at googlemail.com> wrote:

> Hi,
>
> I am wondering if the W32/Kyle sig should be updated to ET Trojan? I saw
> it this morning downloading a file which, while it apparently was corrupted
> even though I had no missing bytes (going to manually carve again from the
> recovered PCAP to be sure), VirusTotal shows 1 AV suggested it was
> Zeus:
>
>
> https://www.virustotal.com/en/file/0f01ae1eeed77b3cadd6fdc53cc3d43b244da172b32f389890cf48914a060941/analysis/
>
> Kind regards,
> Kevin Ross
>
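The flowbit chaining Kevin describes (low-confidence POST sigs set a per-flow bit with no alert of their own; a final sig only fires when that bit is set and the session User-Agent matches) modelled in plain Python, as an added illustration that is not an Emerging Threats rule or anything from the thread. The POST heuristic, the `CONSTRUCTED-SESSION-UA` string, the sids and the sample requests are all constructed stand-ins; the keyword names in comments are the real Suricata `flowbits` options the model mirrors.

```python
"""Toy evaluator for Suricata-style flowbit chaining (added example, not an ET rule).

Rule 1 matches a constructed "malware-looking POST" heuristic and only sets a bit
on the flow (flowbits:set + flowbits:noalert).  Rule 2 matches a constructed
session User-Agent but is gated on that bit (flowbits:isset), so neither the
heuristic nor the UA alerts on its own.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Request:
    """One HTTP request; `flow` stands in for the 5-tuple Suricata keys flowbits on."""
    flow: str
    method: str
    uri: str
    user_agent: str
    content_type: str = ""
    referer: str = ""
    body: bytes = b""


@dataclass
class Rule:
    """Subset of rule semantics: a header/content predicate plus flowbits options."""
    sid: int
    msg: str
    match: Callable[[Request], bool]
    set_bit: str = ""        # flowbits:set,<name>
    isset_bit: str = ""      # flowbits:isset,<name>
    noalert: bool = False    # flowbits:noalert


def suspicious_post(r: Request) -> bool:
    """Constructed heuristic standing in for 'malware-looking POST stuff'."""
    return (r.method == "POST" and r.uri.endswith(".php")
            and r.content_type == "application/octet-stream"
            and not r.referer and len(r.body) >= 16)


# Constructed UA pattern; a real rule would carry the string observed in the session.
SESSION_UA = re.compile(r"^CONSTRUCTED-SESSION-UA/\d+\.\d+$")

RULES: List[Rule] = [
    Rule(9000001, "POST heuristic (sets bit, never alerts)", suspicious_post,
         set_bit="constructed.malpost", noalert=True),
    Rule(9000002, "Session UA after suspicious POST on same flow",
         lambda r: bool(SESSION_UA.match(r.user_agent)),
         isset_bit="constructed.malpost"),
]


def run_rules(requests: List[Request], rules: List[Rule] = RULES) -> List[Tuple[int, str, str]]:
    """Evaluate rules in order for each request; bits persist per flow, as in Suricata
    (where flowbits:set rules are ordered to run before the rules that check them).
    Returns (sid, flow, uri) for every alert raised."""
    bits: Dict[str, Set[str]] = {}
    alerts: List[Tuple[int, str, str]] = []
    for r in requests:
        flow_bits = bits.setdefault(r.flow, set())
        for rule in rules:
            if rule.isset_bit and rule.isset_bit not in flow_bits:
                continue            # gated rule: bit not set on this flow
            if not rule.match(r):
                continue
            if rule.set_bit:
                flow_bits.add(rule.set_bit)
            if not rule.noalert:
                alerts.append((rule.sid, r.flow, r.uri))
    return alerts


# Constructed traffic covering the four cases a practitioner wants to see.
SAMPLE: List[Request] = [
    # flow-A: beacon-like POST carrying the session UA -> bit set, then final sig fires
    Request("flow-A", "POST", "/gate.php", "CONSTRUCTED-SESSION-UA/1.0",
            content_type="application/octet-stream", body=bytes(range(32))),
    # flow-B: ordinary browser form POST with Referer -> heuristic does not match
    Request("flow-B", "POST", "/login.php", "Mozilla/5.0 (constructed browser)",
            content_type="application/x-www-form-urlencoded",
            referer="https://example.test/", body=b"user=a&pass=b"),
    # flow-C: session UA alone, no suspicious POST on this flow -> gated sig stays quiet
    Request("flow-C", "GET", "/index.html", "CONSTRUCTED-SESSION-UA/1.0"),
    # flow-D: POST sets the bit silently, a later request on the same flow trips the UA sig
    Request("flow-D", "POST", "/gate.php", "Mozilla/4.0 (constructed)",
            content_type="application/octet-stream", body=bytes(range(32))),
    Request("flow-D", "GET", "/config.bin", "CONSTRUCTED-SESSION-UA/2.1"),
]


def detect_sample() -> List[Tuple[int, str, str]]:
    return run_rules(SAMPLE)


if __name__ == "__main__":
    for sid, flow, uri in detect_sample():
        print(f"alert sid={sid} flow={flow} uri={uri}")
```

Only flow-A and flow-D produce alerts: the benign form POST never sets the bit, and the UA on flow-C has no preceding POST on its flow to unlock the final sig. The cost Kevin alludes to is real in the engine too: the gated rule is still evaluated for every request on every flow, so the UA pattern should be cheap and the `noalert` stage rules should use fast-path content matches.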
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Stan2 - Copy.png
Type: image/png
Size: 56234 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140918/d7cd1a41/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Stan1 - Copy.png
Type: image/png
Size: 58781 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140918/d7cd1a41/attachment-0003.png>